spi: davinci: Fix use-after-free on unbind

davinci_spi_remove() accesses the driver's private data after it's been
freed with spi_master_put().

Fix by moving the spi_master_put() to the end of the function.

Fixes: fe5fd2540947 ("spi: davinci: Use dma_request_chan() for requesting DMA channel")
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Acked-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Cc: <stable@vger.kernel.org> # v4.7+
Link: https://lore.kernel.org/r/412f7eb1cf8990e0a3a2153f4c577298deab623e.1607286887.git.lukas@wunner.de
Signed-off-by: Mark Brown <broonie@kernel.org>

diff --git a/drivers/spi/spi-davinci.c b/drivers/spi/spi-davinci.c
index 818f2b2..7453a1d 100644 (file)
--- a/drivers/spi/spi-davinci.c
+++ b/drivers/spi/spi-davinci.c
@@ -1040,13 +1040,13 @@ static int davinci_spi_remove(struct platform_device *pdev)
        spi_bitbang_stop(&dspi->bitbang);
 
        clk_disable_unprepare(dspi->clk);
-       spi_master_put(master);
 
        if (dspi->dma_rx) {
                dma_release_channel(dspi->dma_rx);
                dma_release_channel(dspi->dma_tx);
        }
 
+       spi_master_put(master);
        return 0;
 }